DDoS attacks are more prevalent than ever and enterprises can't always rely on their service providers for protection. Learn what enterprises should do for effective DDoS mitigation.

Moving unified communications applications to the cloud can simplify business operations. But cloud infrastructure can present vulnerabilities that attract malicious attacks like distributed denial of service (DDoS). And with many enterprises using service providers for their UC applications, DDoS attacks can be more damaging than ever.

As the threat of DDoS attacks looms, there is a disconnect between enterprises and their service providers over who takes responsibility during an attack, according to a report from DDoS mitigation service provider Black Lotus Communications, which surveyed 129 service providers about the impact of DDoS on their business.

According to the report, many organizations believe they can rely on their service provider to manage a DDoS attack and its impact on their business. But the reality is most providers believe they are solely responsible for making sure their infrastructure remains intact during an attack and that the direct impact of an attack is the customer's responsibility.

"Service providers with undeveloped DDoS mitigation strategies may choose to sacrifice a customer by black hole routing their traffic or recommending a different service provider in order to protect the service of other customers," said Chris Rodriguez, network security senior analyst at Frost & Sullivan. Enterprises can lose anywhere from $100,000 to tens of millions of dollars per hour in an attack, the report found.


Just over one-third of service providers reported being hit with one or more DDoS attacks weekly, according to the report. Managed hosting services, VoIP and platform as a service were the three industries most affected by DDoS.

During an attack, 52% of service providers reported temporarily blocking the targeted customer, 34% reported removing the targeted customer, 32% referred customers to a partner DDoS mitigation provider and 26% encouraged an attacked customer to find a new service provider. But by removing or blocking a customer, service providers have effectively helped the attackers achieve their goal and left enterprises suffering the consequences, according to the report.

Communicating DDoS concerns

Three-quarters of service providers reported feeling very to extremely confident they could withstand a catastrophic DDoS attack, and 92% of providers have protections in place. But the report found that the majority of providers use traditional protections that have become less effective in mitigating DDoS.

To maximize DDoS protection, Nemertes Research CEO Johna Till Johnson offered four questions that enterprises should ask when evaluating service provider security and DDoS protection.

What protections does the service provider have in place in the event of an attack? Don't be afraid to ask service providers questions regarding the DDoS mitigation products and services they use, what their DDoS track record is or how many clients have been victims of an attack. "If they refuse to answer, it tells you something about the vendor," Johnson said. "Any legitimate provider has this information and will share it with customers."

Is the service provider willing to put DDoS mitigation in a service-level agreement (SLA)? The provider may already include DDoS protection or may require the enterprise to buy a service. But if a provider won't include DDoS mitigation in an SLA, find out why. "If you're not going to put it in black and white, you're at risk," she said.

What third-party services does the provider recommend? Service providers may have third-party partnerships that can deliver DDoS protection.

What is your organization's stance on security? Johnson recommends having a line item in the budget for DDoS that covers a DDoS mitigation service or product.

Making DDoS mitigation plans

If a service provider is hit with a DDoS attack, there are two issues facing enterprises, Johnson said. The first issue is if the enterprise experienced a small hit in the attack. "If you've gotten a gentle probe, then attackers may be coming after you," she said.

Just like when a credit card number is stolen and the thief spends a small amount of money to test the number before making the large, fraudulent charges, attackers are testing for vulnerabilities. Enterprises should immediately figure out where they're at risk and what they can do to protect themselves now, Johnson said.

The second issue, she said, is that DDoS isn't just an attack, it's an earthquake. A disaster recovery plan is required so enterprises know what to do if a core application is suddenly unavailable.

"DDoS attack techniques continue to change, and enterprises must be proactive in their defenses," Rodriguez said.

He said a hybrid approach to DDoS mitigation has emerged as an effective strategy. Hybrid DDoS mitigation pairs an on-premises DDoS mitigation appliance, which protects the enterprise's own infrastructure, with a cloud-based DDoS mitigation service that routes traffic to a scrubbing center and returns clean traffic. The on-premises appliance handles smaller attacks; when an attack reaches a certain size, the appliance can signal the cloud-based service to take over.

"This allows the organization to use the DDoS services sparingly and only when necessary, with a seamless transition between the two services," he said.
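As an added illustration of the escalation logic described above (not code from the article or from any vendor's product), the following Python sketch models an on-premises appliance that hands traffic off to a cloud scrubbing service once sustained ingress nears its capacity, and hands it back only after traffic has clearly subsided so that a single spike does not cause flapping between the two tiers. The appliance capacity, the thresholds and the traffic samples are constructed for the example.

```python
from collections import deque


class HybridMitigator:
    """Decides which tier handles ingress: the on-prem appliance or cloud scrubbing.

    Escalation needs `window` consecutive samples at or above `hi`; release needs
    `window` consecutive samples at or below `lo`.  The gap between hi and lo is
    the hysteresis that keeps a spiky but manageable flood from toggling the
    cloud service on and off.  All figures are constructed, not vendor values.
    """

    def __init__(self, appliance_capacity_gbps, escalate_ratio=0.8,
                 deescalate_ratio=0.4, window=3):
        self.hi = escalate_ratio * appliance_capacity_gbps   # e.g. 80% of capacity
        self.lo = deescalate_ratio * appliance_capacity_gbps # e.g. 40% of capacity
        self.history = deque(maxlen=window)
        self.cloud_active = False
        self.events = []   # (time, event, ingress_gbps) audit trail

    def observe(self, t, ingress_gbps):
        """Feed one ingress sample; return the tier currently handling traffic."""
        self.history.append(ingress_gbps)
        full = len(self.history) == self.history.maxlen
        if not self.cloud_active and full and all(x >= self.hi for x in self.history):
            # Real deployments signal the scrubbing centre here (BGP route swing
            # or DNS change); this example only records the decision.
            self.cloud_active = True
            self.events.append((t, "cloud_engaged", ingress_gbps))
        elif self.cloud_active and full and all(x <= self.lo for x in self.history):
            self.cloud_active = False
            self.events.append((t, "cloud_released", ingress_gbps))
        return "cloud_scrubbing" if self.cloud_active else "on_prem_appliance"


# Constructed ingress samples in Gbps, one per time step: a ramp into a large
# flood, a decay, then a lone spike that should NOT re-engage the cloud tier.
SAMPLES = [1, 2, 9, 9, 9, 12, 3, 3, 3, 9]


def simulate(samples=SAMPLES, capacity_gbps=10.0):
    """Run the samples through a mitigator; return (tier per sample, events)."""
    m = HybridMitigator(capacity_gbps)
    tiers = [m.observe(t, g) for t, g in enumerate(samples)]
    return tiers, m.events


if __name__ == "__main__":
    tiers, events = simulate()
    for t, (g, tier) in enumerate(zip(SAMPLES, tiers)):
        print(f"t={t} ingress={g:>4} Gbps -> {tier}")
    print(events)
```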


From what I noticed, the approach seems to be having an extra layer in traffic management that has functions specific to anti-DDoS, i.e. constant monitoring of requests and filtering those matching some patterns. I guess it may also erroneously block a real customer?